By now, you've probably heard about the new regulation out of the EU that can impact your events. But if you haven't, here's a quick overview.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
This has implications to your company if you have any attendees from the EU attending your events. It doesn’t matter if you are a US based company with an event taking place in the US. It has to do with the citizenship of your attendees. And EU regulators are able to authorize enforcement of this regulation in the US.
As the data controller, it’s your job to ensure you are have secure measures in place to obtain appropriate consent for communication with your EU attendees as well as proper data management of their information. And it’s also your job to ensure that your vendors do the same.
The GDPR doesn't provide specifications on exactly what you need to do; they have shared the security measurements required and leave it to you to determine what security you must have in place.
What is it?
There are three main components:
1) Right to access: an individual must consent to having their data used, and you need to be clear about what data is processed and the purpose of processing that data. Additionally, you must be able to provide the data subject with copies of their personal data at no charge, if requested.
This means you cannot email or send push notifications to any EU attendee unless they have opted-in to receiving messages from you. If you have an opt-in process in place, you may need to revisit the language to ensure any generic language around the use of the data is changed to specify the exact use of that data. You must also have clear opt-out procedures in place.
2) Right to be forgotten: if any individual requests to have their data removed, you must have a clear road map to ensure they are removed from all records that hold their information.
Consider the typical flow of user information from registration through your event app through excel files you store as well as archives. You must map out each of these areas to ensure the user is removed from all.
3) 72-hour Breach Notification Process
The GDPR has set a deadline of May 25th by when compliance is required. Non-compliance can result in a fine of 4% of the client’s annual global turnover (revenue) up to a maximum of 20 million Euros.
Here's our plan
At MeetingPlay, we've developed a road map to ensure compliance. Here are some of the steps we have taken:
1) Information Review: We've mapped out the path from when data is first received through to every point of engagement. As part of this, we have tracked what data we hold, where it came from, and any point at which it was shared. By doing so, we've been able to identify how we can delete personal data and provide data electronically, if requested.
2) Privacy Review: we have updated our privacy and consent notices. This includes updating our opt-in processes for all emails and communications. To this last point, we are stating the purpose for any data processing and clearly communicating that as part of our opt-in process. Our opt-in process will include plain language, with no pre-ticked boxes, and we will store attendee consent.
3) Document Data Breach process: We have a plan in place to detect, report, and investigate any potential data breach. And (as always) we are prepared to implement the plan within 72 hours in the event of a confirmed breach.
4) Employee Training Review: We are reviewing all employee training materials to ensure policies are up to date, as well as ensure employees are trained on the GDPR and all security guidelines.
5) Data Audits: We will be implementing data audits for each event to identify any personal data and data sharing with other approved vendors. We have also designed processes and technology for sending data securely via protected files and environments.
The information above isn’t meant to serve as legal advice. Your legal department needs to provide details and help you plan out next steps to ensure compliance.
Preparation is the key to success. If you haven't already, it's time for you to put a solid plan in place to ensure compliance by May 25th.